diff --git a/charts/apps/templates/sealedsecrets.yaml b/charts/apps/templates/sealedsecrets.yaml
new file mode 100644
index 0000000000000000000000000000000000000000..ac48e57c4ad0954ddaba0afdc12c2972a2137f76
--- /dev/null
+++ b/charts/apps/templates/sealedsecrets.yaml
@@ -0,0 +1,33 @@
+{{ if .Values.sealedsecrets.enabled }}
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+  name: {{ .Values.cluster.name }}-sealed-secrets
+  labels:
+    cluster: {{ .Values.cluster.name | quote }}
+    app: sealed-secrets
+  namespace: argocd
+  annotations:
+    {{- toYaml .Values.notifications | nindent 4 }}
+spec:
+  project: {{ .Values.cluster.name }}
+  destination:
+    server: {{ .Values.cluster.url }}
+    namespace: kube-system
+  syncPolicy:
+    {{- if .Values.sync }}
+    automated:
+      prune: true
+      selfHeal: true
+      allowEmpty: false
+    {{- end }}
+    syncOptions:
+      - CreateNamespace=true
+  source:
+    repoURL: https://bitnami-labs.github.io/sealed-secrets/
+    chart: sealed-secrets
+    targetRevision: {{ .Values.sealedsecrets.version | quote }}
+    helm:
+      version: v3
+      releaseName: sealed-secrets
+{{- end }}
diff --git a/charts/apps/values.yaml b/charts/apps/values.yaml
index bcf13c2379f4ffbae3d4cc835c4fb8878d860a6a..4ff548b24f8b8a42515cb2a077a1f2cc176bee8c 100644
--- a/charts/apps/values.yaml
+++ b/charts/apps/values.yaml
@@ -35,6 +35,10 @@ ingresscontroller:
   traefik2:
     version: "10.*"
 
+sealedsecrets:
+  enabled: false
+  version: "0.*"
+
 metallb:
   enabled: false
   version: "0.10.*"
diff --git a/terraform/modules/argocd/argocd.tf b/terraform/modules/argocd/argocd.tf
index 3c6496a2b284f6ad8d027567d383f16dcee23359..7461a598ea78cc542a028620c6a8da5323cfa85a 100644
--- a/terraform/modules/argocd/argocd.tf
+++ b/terraform/modules/argocd/argocd.tf
@@ -43,6 +43,7 @@ locals {
     traefik_dashboard           = var.traefik_dashboard
     acme_staging                = var.acme_staging
     acme_email                  = var.acme_email
+    sealedsecrets_enabled       = var.sealedsecrets_enabled
     healthmonitor_enabled       = var.healthmonitor_enabled
     healthmonitor_nfs           = var.healthmonitor_nfs
     healthmonitor_notifications = var.healthmonitor_notifications
diff --git a/terraform/modules/argocd/templates/argocd.yaml.tmpl b/terraform/modules/argocd/templates/argocd.yaml.tmpl
index a241a831c81d5f1e3f7b4aee9799f8bd8edb2531..6f39b8b30c60fdb2b138464bea963d6df36a0dd0 100644
--- a/terraform/modules/argocd/templates/argocd.yaml.tmpl
+++ b/terraform/modules/argocd/templates/argocd.yaml.tmpl
@@ -81,6 +81,9 @@ spec:
           #notifiers:
           #  %%{ indent(12, healthmonitor) }%
 
+        sealedsecrets:
+          enabled: ${sealedsecrets_enabled}
+
         longhorn:
           enabled: ${longhorn_enabled}
           replicas: ${longhorn_replicas}
diff --git a/terraform/modules/argocd/variables.tf b/terraform/modules/argocd/variables.tf
index 58328a2c65b4023a755163e1414929e3da48ee07..7031b77a8847ca4c73ff0091b05efb213a5f84c2 100644
--- a/terraform/modules/argocd/variables.tf
+++ b/terraform/modules/argocd/variables.tf
@@ -160,6 +160,12 @@ variable "healthmonitor_notifications" {
   default     = ""
 }
 
+variable "sealedsecrets_enabled" {
+  type        = bool
+  description = "Enable sealed secrets"
+  default     = false
+}
+
 variable "metallb_enabled" {
   type        = bool
   description = "Enable MetalLB"